Container Management Utility Run Inside A Container
This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/04/26"
3integration = ["cloud_defend"]
4maturity = "production"
5updated_date = "2025/01/15"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule detects when a container management binary is run from inside a container. These binaries are critical
11components of many containerized environments, and their presence and execution in unauthorized containers could
12indicate compromise or a misconfiguration.
13"""
14false_positives = [
15 """
16 There is a potential for false positives if the container is used for legitimate administrative tasks that require
17 the use of container management utilities, such as deploying, scaling, or updating containerized applications. It is
18 important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity
19 or part of legitimate container activity.
20 """,
21]
22from = "now-6m"
23index = ["logs-cloud_defend*"]
24interval = "5m"
25language = "eql"
26license = "Elastic Licence v2"
27name = "Container Management Utility Run Inside A Container"
28risk_score = 21
29rule_id = "6c6bb7ea-0636-44ca-b541-201478ef6b50"
30severity = "low"
31tags = [
32 "Data Source: Elastic Defend for Containers",
33 "Domain: Container",
34 "OS: Linux",
35 "Use Case: Threat Detection",
36 "Tactic: Execution",
37 "Resources: Investigation Guide",
38]
39timestamp_override = "event.ingested"
40type = "eql"
41
42query = '''
43process where container.id: "*" and event.type== "start"
44 and process.name: ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "runc", "systemd", "crictl")
45'''
46note = """## Triage and analysis
47
48> **Disclaimer**:
49> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
50
51### Investigating Container Management Utility Run Inside A Container
52
53Container management utilities like Docker and Kubernetes are essential for orchestrating and managing containerized applications. They facilitate tasks such as deployment, scaling, and networking. However, adversaries can exploit these tools to execute unauthorized commands within containers, potentially leading to system compromise. The detection rule identifies suspicious execution of these utilities within containers, signaling possible misuse or misconfiguration, by monitoring specific process activities and event types.
54
55### Possible investigation steps
56
57- Review the specific container ID where the suspicious process was executed to determine its purpose and origin.
58- Examine the process name and command line arguments to understand the context of the execution and identify any anomalies or unauthorized commands.
59- Check the user and permissions associated with the process to assess if it aligns with expected roles and access levels for container management tasks.
60- Investigate the container's creation and deployment history to identify any recent changes or deployments that could explain the presence of the management utility.
61- Analyze network activity associated with the container to detect any unusual connections or data transfers that might indicate malicious activity.
62- Correlate the event with other security alerts or logs to identify patterns or related incidents that could provide additional context or evidence of compromise.
63
64### False positive analysis
65
66- Routine maintenance tasks within containers can trigger the rule. Exclude known maintenance scripts or processes by adding them to an allowlist if they frequently execute container management utilities.
67- Development and testing environments often run container management commands for legitimate purposes. Consider excluding these environments from monitoring or adjust the rule to focus on production environments only.
68- Automated deployment tools may execute container management commands as part of their workflow. Identify these tools and create exceptions for their activities to prevent false positives.
69- System updates or patches might involve running container management utilities. Monitor update schedules and temporarily adjust the rule to avoid unnecessary alerts during these periods.
70- Legitimate administrative actions by authorized personnel can trigger the rule. Implement user-based exceptions for known administrators to reduce false positives while maintaining security oversight.
71
72### Response and remediation
73
74- Immediately isolate the affected container to prevent further unauthorized access or execution of commands. This can be done by stopping the container or disconnecting it from the network.
75- Review the container's configuration and access controls to identify any misconfigurations or unauthorized access permissions that may have allowed the execution of container management utilities.
76- Conduct a thorough analysis of the container's logs and process activities to determine the extent of the compromise and identify any additional malicious activities or lateral movement attempts.
77- Remove any unauthorized or suspicious binaries and scripts from the container to prevent further exploitation.
78- Patch and update the container image and underlying host system to address any known vulnerabilities that may have been exploited.
79- Implement stricter access controls and monitoring on container management utilities to ensure they are only accessible by authorized users and processes.
80- Escalate the incident to the security operations team for further investigation and to assess the need for broader security measures across the container environment."""
81
82
83[[rule.threat]]
84framework = "MITRE ATT&CK"
85[[rule.threat.technique]]
86id = "T1609"
87name = "Container Administration Command"
88reference = "https://attack.mitre.org/techniques/T1609/"
89
90
91[rule.threat.tactic]
92id = "TA0002"
93name = "Execution"
94reference = "https://attack.mitre.org/tactics/TA0002/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Container Management Utility Run Inside A Container
Container management utilities like Docker and Kubernetes are essential for orchestrating and managing containerized applications. They facilitate tasks such as deployment, scaling, and networking. However, adversaries can exploit these tools to execute unauthorized commands within containers, potentially leading to system compromise. The detection rule identifies suspicious execution of these utilities within containers, signaling possible misuse or misconfiguration, by monitoring specific process activities and event types.
Possible investigation steps
- Review the specific container ID where the suspicious process was executed to determine its purpose and origin.
- Examine the process name and command line arguments to understand the context of the execution and identify any anomalies or unauthorized commands.
- Check the user and permissions associated with the process to assess if it aligns with expected roles and access levels for container management tasks.
- Investigate the container's creation and deployment history to identify any recent changes or deployments that could explain the presence of the management utility.
- Analyze network activity associated with the container to detect any unusual connections or data transfers that might indicate malicious activity.
- Correlate the event with other security alerts or logs to identify patterns or related incidents that could provide additional context or evidence of compromise.
False positive analysis
- Routine maintenance tasks within containers can trigger the rule. Exclude known maintenance scripts or processes by adding them to an allowlist if they frequently execute container management utilities.
- Development and testing environments often run container management commands for legitimate purposes. Consider excluding these environments from monitoring or adjust the rule to focus on production environments only.
- Automated deployment tools may execute container management commands as part of their workflow. Identify these tools and create exceptions for their activities to prevent false positives.
- System updates or patches might involve running container management utilities. Monitor update schedules and temporarily adjust the rule to avoid unnecessary alerts during these periods.
- Legitimate administrative actions by authorized personnel can trigger the rule. Implement user-based exceptions for known administrators to reduce false positives while maintaining security oversight.
Response and remediation
- Immediately isolate the affected container to prevent further unauthorized access or execution of commands. This can be done by stopping the container or disconnecting it from the network.
- Review the container's configuration and access controls to identify any misconfigurations or unauthorized access permissions that may have allowed the execution of container management utilities.
- Conduct a thorough analysis of the container's logs and process activities to determine the extent of the compromise and identify any additional malicious activities or lateral movement attempts.
- Remove any unauthorized or suspicious binaries and scripts from the container to prevent further exploitation.
- Patch and update the container image and underlying host system to address any known vulnerabilities that may have been exploited.
- Implement stricter access controls and monitoring on container management utilities to ensure they are only accessible by authorized users and processes.
- Escalate the incident to the security operations team for further investigation and to assess the need for broader security measures across the container environment.
Related rules
- File Made Executable via Chmod Inside A Container
- Interactive Exec Command Launched Against A Running Container
- Netcat Listener Established Inside A Container
- Suspicious Interactive Shell Spawned From Inside A Container
- AWS Credentials Searched For Inside A Container